Multiple Roles for single User #10098
Replies: 3 comments
-
From the docs (https://hasura.io/docs/latest/auth/authentication/jwt/#hasura-jwt-format):

To summarize, the x-hasura-allowed-roles session variable contains a list of all the roles that the user can assume, and the x-hasura-role header tells the Hasura Engine which role to use for the request; if that is missing, then the x-hasura-default-role session variable will be used.

This setup makes it more convenient for a JWT to only need to be issued once with a list of allowed roles for the user, and then allow the client to decide which of those roles to actually use for a request. This prevents the user needing to log in again or unnecessary JWT re-issuance.

If, for example, your app will not need to switch user roles and the user only needs one role, for instance user, you can just issue a JWT with x-hasura-default-role set to user and x-hasura-allowed-roles set to ["user"] and not send the x-hasura-role header in the request.

This setup is designed so that there is one authoritative way to construct your JWT token for the Hasura Engine which can cover a wide range of use cases.

Let me know if this answers your question
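The role-resolution rule quoted from the docs above, as an added example that is not part of this thread or of Hasura's own code: a token carries the list of assumable roles plus a default, the client-chosen x-hasura-role header selects one of them per request, and the engine falls back to the default when the header is absent. The example also reproduces the two failure modes that matter to the questions in this thread: a token without x-hasura-default-role is rejected, and a header naming a role outside x-hasura-allowed-roles is rejected (the allowed-roles list, not the client header, is the authorization boundary; a request runs as exactly one role). The mini HS256 signer/verifier, the shared secret and the claim values are constructed for the example; treating the default role as required and checking the resolved role against the allowed list are assumptions based on the behaviour this thread and the quoted docs describe.

```python
"""Resolve a Hasura session role from JWT claims plus the optional
x-hasura-role header. Standalone example; not Hasura's implementation."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Hasura's default claims namespace (a real Hasura config key name).
HASURA_CLAIMS_NS = "https://hasura.io/jwt/claims"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(claims: dict, secret: bytes) -> str:
    """Minimal HS256 JWT issuer, included only so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes) -> dict:
    """Verify the HS256 signature and return the claims; refuses any other alg."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # no "none", no alg confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


class RoleError(Exception):
    """Raised when the token or header cannot yield exactly one valid role."""


def resolve_role(claims: dict, role_header: Optional[str]) -> str:
    """Apply the documented rule: header wins, else default; result must be allowed.

    Assumption (matches the error reported in this thread): x-hasura-default-role
    is mandatory even when the caller supplies an x-hasura-role header.
    """
    hasura = claims.get(HASURA_CLAIMS_NS)
    if not isinstance(hasura, dict):
        raise RoleError("missing Hasura claims namespace")
    allowed = hasura.get("x-hasura-allowed-roles")
    if not isinstance(allowed, list) or not allowed:
        raise RoleError("x-hasura-allowed-roles is required")
    default = hasura.get("x-hasura-default-role")
    if default is None:
        raise RoleError("x-hasura-default-role is required")
    # The client chooses, but only from the list the issuer signed.
    role = role_header if role_header is not None else default
    if role not in allowed:
        raise RoleError(f"requested role {role!r} is not in allowed roles")
    return role


def demo() -> dict:
    """Issue one token for a two-role user and resolve it with and without the header."""
    secret = b"example-shared-secret"  # constructed for this example
    token = issue_jwt(
        {
            "sub": "user-42",  # constructed sample subject
            HASURA_CLAIMS_NS: {
                "x-hasura-allowed-roles": ["viewer", "editor"],
                "x-hasura-default-role": "viewer",
                "x-hasura-user-id": "42",
            },
        },
        secret,
    )
    claims = verify_jwt(token, secret)
    return {
        "no_header": resolve_role(claims, None),       # falls back to default
        "editor": resolve_role(claims, "editor"),      # header selects a role
    }


if __name__ == "__main__":
    print(demo())
```

The same single token serves both roles: the client sends `x-hasura-role: editor` when it wants editor permissions and omits the header to run as the default viewer. What it cannot do is run as both at once, or pick a role the issuer did not sign into x-hasura-allowed-roles.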
-
Hello,
Thank you for your response.
My issue is exactly the opposite: in my case, the user will have multiple roles, e.g. Editor and Viewer.
In this case, in my JWT token, I will have only x-hasura-allowed-roles, which will contain these two values.
If I use this token, the Hasura engine throws the error: x-hasura-default-role is required.
Please let me know how I can proceed.
Thank you
-
Hello, would you be able to help?
-
Hello, suppose for example I have 2 roles: reviewer and editor.
With Hasura we can provide x-hasura-default-role or x-hasura-role to be either reviewer or editor, but we can pass both roles in x-hasura-allowed-roles.
My question is, can we not provide x-hasura-default-role and x-hasura-role, and provide only x-hasura-allowed-roles? If we provide both roles in allowed roles, the user should have the permissions defined in both roles.
I found a similar post, but it's marked as closed:
#877 (comment)